since I need to do EJB calls and access JMS queues through a firewall I started with setting it up to use http as bearer and that was quite simple but when I tried to turn on https I had major problems. The instructions in the AdminDevel book was for Tomcat 4 but it was not hard to figure out how to do it with tomcat 5 (uncomment the appropriate part in server.xml) and so I got it up and running.
When trying to connect however I kept on getting an Exception thrown from the client with message "No trusted certificate found". The JBoss doc doesn't mention that since the generated certificate is not signed by a trusted certificate authority, it has to be imported into the jvm cacert keystore. That is accomplished like this:
Export the certificate from https.keystore:
keytool -export -v -rfc -alias https -file https.cert -keystore c:\java\jboss-3.2.5\server\default\conf\https.keystore
Import it into cacerts:
keytool -import -v -trustcacerts -alias my.hostname.com -file https.cert -keystore c:\java\j2sdk1.4.2_04\jre\lib\security\cacerts
I used the hostname as alias to be able to keep track of it. The default password of cacerts is "changeit".
However, then I started to get exceptions with message "HTTPS hostname wrong: should be <my.hostname.com>". That puzzled me quite a bit since I couldn't find it mentioned anywhere in the JBoss doc and at Sun's javaforums I only found descriptions about how to workaround it programatically.
After much of pondering I recalled that the common name of the certificate have to be the hostname. I.e. when generating a key with keytool, when it asks for your first name and last name, write the hostname as first name and leave last name empty. Then the certificate will be correct.
I hope this can be helpful for those of you struggeling with the same problem.